Merge pull request #2813 from phantinuss/master

Changes to falsepositives metadata
frack113
2022-03-17 14:31:27 +01:00
committed by GitHub
371 changed files with 375 additions and 410 deletions
@@ -23,5 +23,5 @@ detection:
Payload|contains: 'Expand-Archive'
condition: selection_4103
falsepositives:
- unknown
- Unknown
level: informational
@@ -23,5 +23,5 @@ detection:
Payload|contains: 'Get-Clipboard'
condition: selection_4103
falsepositives:
- unknown
- Unknown
level: medium
@@ -30,5 +30,5 @@ detection:
Payload|endswith: 'readtoend'
condition: selection_4103
falsepositives:
- unknown
- Unknown
level: medium
@@ -26,10 +26,10 @@ detection:
- get-aduser
- '-f '
- '-pr '
- DoesNotRequirePreAuth
- DoesNotRequirePreAuth
condition: 1 of test_*
falsepositives:
- administrator script
- Administrator script
level: low
tags:
- attack.discovery
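Review bot: The two identical `- DoesNotRequirePreAuth` lines indicate a whitespace-only change to a detection value that the rendered view cannot show, and the same pattern appears at `ContextInfo|contains:` under `filter_chocolatey`, and at `- Payload|contains:` / `- Payload|contains|all:` under `test_3` and `test_6` in the later hunks. In YAML the indentation decides which mapping or list an item belongs to, so a shifted line can silently move a value out of the selection or filter it was meant to be part of, which would change what the rule matches without any visible edit to the text. Worth confirming from the raw diff, or by re-parsing the rules, that each re-indented line still sits under the same key as before, since the commit description only mentions falsepositives metadata. The enclosing `detection:` block in each of these hunks starts outside the hunk.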
@@ -30,6 +30,5 @@ detection:
- ' -noninteractive '
condition: all of selection*
falsepositives:
- Penetration tests
- Very special / sneaky PowerShell scripts
level: high
@@ -61,10 +61,10 @@ detection:
- 'Net.WebClient'
- '.Download'
filter_chocolatey:
ContextInfo|contains:
ContextInfo|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1"
- 'Write-ChocolateyWarning'
condition: 1 of selection* and not 1 of filter*
falsepositives:
- Penetration tests
- Unknown
level: high
@@ -14,14 +14,14 @@ logsource:
category: ps_module
detection:
test_3:
- Payload|contains:
- Payload|contains:
- 'get-localgroup'
- 'Get-LocalGroupMember'
- ContextInfo|contains:
- 'get-localgroup'
- 'Get-LocalGroupMember'
test_6:
- Payload|contains|all:
- Payload|contains|all:
- 'Get-WMIObject'
- 'Win32_Group'
- ContextInfo|contains|all:
@@ -29,7 +29,7 @@ detection:
- 'Win32_Group'
condition: 1 of test_*
falsepositives:
- administrator script
- Administrator script
level: low
tags:
- attack.discovery
@@ -18,7 +18,7 @@ detection:
- ContextInfo|contains: get-smbshare
condition: selection
falsepositives:
- administrator script
- Administrator script
level: low
tags:
- attack.discovery